If a policy should apply to all inbound mail, ensure it's set as "From Everyone, To Internal" (except for Impersonation Protect, which should be "External to Internal").

Consider if there are other policies that are taking precedence.

Q:

Our inbound mail is not being routed as expected. What could be the problem?

A:

First, confirm that your server's firewall is allowing connections to Mimecast. A test delivery route option can be used in your Delivery Routing definitions. The policies should also be scoped correctly (i.e. Everyone to Internal for all inbound mail) and the delivery recalculated if any changes were made to policies. Details can be gathered from theMonitoring | Delivery menu item in the Administration Console.

“Manual Permitted Sender" and "Auto-Allow” indicates that a managed senders entry was applied.

See the "Receipt Events" section of the Email Receipt and Delivery Views page for further information. Additionally, you can use the "Report As" buttons in the Administration Console to escalate the information to Mimecast Support.

Q:

How can we resolve spam false positives?

A:

Escalate the issue to Mimecast Support, providing an original copy of the message if possible. You may need to place in a password-protected zip to ensure it's safely received. See the Misreported Spam Messages page for further information.

Q:

How can we prevent certain users from sending spam outbound?

A:

Ensure the user does not have SMTP submission enabled, and place a block on the sender until internally resolved.

Anti-Spoofing

Q:

Why isn't our Anti-Spoofing policy working correctly?

A:

We recommend checking the following:

For IP-based bypass policies (Everyone to Everyone, Take No Action) ensure that the "Policy Override" option is enabled. View the Anti-Spoofing Bypass Policies page for details.

For SPF-based bypass policies, ensure the source IP is listed in the SPF record of the specified domain.

Attachment Management

Q:

Our Attachment Management policy is not being considered. What could be the issue?

Mimecast does not support custom Regex, and cases may only be escalated if you can prove the Regex triggered inappropriately. We recommend testing against regex101.com, or another testing platform.

Mimecast uses JavaScript for regular expressions.

Q:

Can more than one Content Examination policy be applied to the same message?

A:

Yes. Content Examination policies (like Targeted Threat Protection policies) don't stop processing a message once a policy is triggered. Take the example where there's one policy looking to hold messages sent to external addresses with the text "CC#", and another looking to send external messages securely if "DRUG CODE" is found. Should a message contain both "CC#" and "DRUG CODE", the message is held by the first policy, but released and send via Secure Messaging by the second policy.

Digest Sets

Q:

How can I ensure Digest Sets notifications are correctly received?

A:

We recommend checking the following:

Verify the schedule in the Digest Sets Definition, keeping time zones in mind. The Administration Console time is based on your Mimecast's account's Data Center location.

Check that the user has had mail held since the last digest they received.

Search the archive for a notification set subject (e.g. "messages on hold for") and see if there is one for the applicable user.

Greylisting

Q:

We have an active Greylisting Bypass policy, but we're still not receiving certain legitimate messages. How can this be resolved?

A:

Ensure theaddress / domainused in the bypass matches the "Envelope From" address of the message. Greylisting is only based on the envelope address. As the message has not yet been transmitted at the time of the check, Mimecast does not know the "Header From" address.

DNS Authentication

Q:

How can we ensure DNS Authentication policies are configured correctly?

A:

We recommend checking the following:

Confirm DNS records are properly configured.

Compare source IP to sending domain's SPF record.

Confirm that DKIM is not being signed at a hop previous to Mimecast (for outbound mail).

Check delivery headers of the message (if delivered or held) to see which DNS checks passed or failed.

Permitted / Blocked Senders

Q:

Why are our Permitted / Blocked Senders policies resulting in errors?

A:

We recommend checking the following:

Ensure default policies have not had IPs added to them.

If the word “manual” is mentioned in the rejection, the user’s Managed Senders may be conflicting with a Permit / Block policy. Refer to the "Usage Considerations" sections of the Permitted Senders and Blocked Senders policy pages for further considerations.

Secure Delivery

Q:

How can I ensure our outbound mail is secured via a Secure Delivery policy?

A:

Use a tool like CheckTLS.com to determine whether the recipient server is advertisingSTARTTLS,and whether they have a valid certificate. This confirms an insecure connection can be upgraded to a secure connection using SSL or TLS.